strongswan/src/libstrongswan/plugins/ntru/ntru_ke.c

/*
 * Copyright (C) 2013 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "ntru_ke.h"
#include "ntru_plugin.h"

#include "ntru_crypto/ntru_crypto.h"

#include <crypto/diffie_hellman.h>
#include <utils/debug.h>

typedef struct private_ntru_ke_t private_ntru_ke_t;

/**
 * Private data of an ntru_ke_t object.
 */
struct private_ntru_ke_t {
	/**
	 * Public ntru_ke_t interface.
	 */
	ntru_ke_t public;

	/**
	 * Diffie Hellman group number.
	 */
	u_int16_t group;

	/**
	 * NTRU Parameter Set ID
	 */
	NTRU_ENCRYPT_PARAM_SET_ID param_set_id;

	/**
	 * Cryptographical strength in bits of the NTRU Parameter Set
	 */
	u_int32_t strength;

	/**
	 * NTRU Public Key
	 */
	chunk_t pub_key;

	/**
	 * NTRU Private Key
	 */
	chunk_t priv_key;

	/**
	 * NTRU encrypted shared secret
	 */
	chunk_t ciphertext;

	/**
	 * Shared secret
	 */
	chunk_t shared_secret;

	/**
	 * True if peer is responder
	 */
	bool responder;

	/**
	 * True if shared secret is computed
	 */
	bool computed;

	/**
	 * Deterministic Random Bit Generator
	 */
    DRBG_HANDLE drbg;
};

METHOD(diffie_hellman_t, get_my_public_value, void,
	private_ntru_ke_t *this, chunk_t *value)
{
    uint16_t pub_key_len, priv_key_len;

	*value = chunk_empty;

	if (this->responder)
	{
		if (this->ciphertext.len)
		{
			*value = chunk_clone(this->ciphertext);
		}
	}
	else
	{
		if (this->pub_key.len == 0)
		{
			/* determine the NTRU public and private key sizes */
			if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set_id,
								&pub_key_len, NULL,
				 				&priv_key_len, NULL) != NTRU_OK)
			{
				DBG1(DBG_LIB, "error determining NTRU public and private key "
							  "sizes");
				return;
			}
			this->pub_key  = chunk_alloc(pub_key_len);
			this->priv_key = chunk_alloc(priv_key_len);

			/* generate a random NTRU public/private key pair */
		    if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set_id,
								&pub_key_len, this->pub_key.ptr,
				 				&priv_key_len, this->priv_key.ptr) != NTRU_OK)
			{
				DBG1(DBG_LIB, "NTRU keypair generation failed");
				chunk_free(&this->priv_key);
				chunk_free(&this->pub_key);
				return;
			}
			DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key);
			DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key);
		}
		*value = chunk_clone(this->pub_key);
	}
}

METHOD(diffie_hellman_t, get_shared_secret, status_t,
	private_ntru_ke_t *this, chunk_t *secret)
{
	if (!this->computed || !this->shared_secret.len)
	{
		return FAILED;
	}
	*secret = chunk_clone(this->shared_secret);

	return SUCCESS;
}


METHOD(diffie_hellman_t, set_other_public_value, void,
	private_ntru_ke_t *this, chunk_t value)
{
	u_int16_t plaintext_len, ciphertext_len;

	if (this->priv_key.len)
	{
		/* initiator decrypting shared secret */
		this->ciphertext = chunk_clone(value);
		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);

		/* determine the size of the maximum plaintext */
    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
								this->ciphertext.len, this->ciphertext.ptr,
								&plaintext_len, NULL) != NTRU_OK)
		{
			DBG1(DBG_LIB, "error determining maximum plaintext size");
			return;
		}
		this->shared_secret = chunk_alloc(plaintext_len);

		/* decrypt the shared secret */
    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
						this->ciphertext.len, this->ciphertext.ptr,
						&plaintext_len, this->shared_secret.ptr) != NTRU_OK)
		{
			DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
			chunk_free(&this->shared_secret);
			return;
		}
		this->shared_secret.len = plaintext_len;
		this->computed = TRUE;
	}
	else
	{
		/* responder generating and encrypting the shared secret */
		this->responder = TRUE;
		this->pub_key = chunk_clone(value);

		/* shared secret size is chosen as twice the cryptographical strength */
		this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);

		/* generate the random shared secret */
		if (ntru_crypto_drbg_generate(this->drbg, this->strength,
			this->shared_secret.len, this->shared_secret.ptr) != DRBG_OK)
		{
			DBG1(DBG_LIB, "generation of shared secret failed");
			chunk_free(&this->shared_secret);
			return;
		}

		/* determine the size of the ciphertext */
		if (ntru_crypto_ntru_encrypt(this->drbg,
							this->pub_key.len,	this->pub_key.ptr,
							this->shared_secret.len, this->shared_secret.ptr,
                            &ciphertext_len, NULL) != NTRU_OK)
		{
			DBG1(DBG_LIB, "error determining ciphertext size");
			return;
		}
		this->ciphertext = chunk_alloc(ciphertext_len);
		this->computed = TRUE;

		/* encrypt the shared secret */
		if (ntru_crypto_ntru_encrypt(this->drbg,
							this->pub_key.len,	this->pub_key.ptr,
							this->shared_secret.len, this->shared_secret.ptr,
                            &ciphertext_len, this->ciphertext.ptr) != NTRU_OK)
		{
			DBG1(DBG_LIB, "NTRU encryption of shared secret failed");
			chunk_free(&this->ciphertext);
			return;
		}
		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
	}
}

METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
	private_ntru_ke_t *this)
{
	return this->group;
}

METHOD(diffie_hellman_t, destroy, void,
	private_ntru_ke_t *this)
{
    if (ntru_crypto_drbg_uninstantiate(this->drbg) != DRBG_OK)
	{
		DBG1(DBG_LIB, "error uninstantiating DRBG");
	}
	chunk_free(&this->pub_key);
	chunk_free(&this->ciphertext);
	chunk_clear(&this->priv_key);
	chunk_clear(&this->shared_secret);
	free(this);
}

/*
 * Described in header.
 */
ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
{
	private_ntru_ke_t *this;
	char personalization_str[] = "strongSwan NTRU-KE";
	NTRU_ENCRYPT_PARAM_SET_ID param_set_id;
	DRBG_HANDLE drbg;
	u_int32_t strength;

	/**
	 * We are selecting the X9.98 / IEEE 1363.1 parameter sets
	 * which balance speed and bandwidth
	 */
	switch (group)
	{
		case NTRU_112_BIT:
			strength = 112;
			/* param_set_id = NTRU_EES541EP1; */
			param_set_id = NTRU_EES401EP2;
			break;
		case NTRU_128_BIT:
			strength = 128;
			/* param_set_id = NTRU_EES613EP1; */
			param_set_id = NTRU_EES439EP1;
			break;
		case NTRU_192_BIT:
			strength = 192;
			/* param_set_id = NTRU_EES887EP1; */
			param_set_id = NTRU_EES593EP1;
			break;
		case NTRU_256_BIT:
			strength = 256;
			/* param_set_id = NTRU_EES1171EP1; */
			param_set_id = NTRU_EES743EP1;
			break;
		default:
			return NULL;
	}

    if (ntru_crypto_drbg_instantiate(strength,
						personalization_str, strlen(personalization_str),
						(ENTROPY_FN) &ntru_plugin_get_entropy, &drbg) != DRBG_OK)
 	{
		DBG1(DBG_LIB, "error instantiating DRBG at %u bit security", strength);
        return NULL;
	}
	else
	{
    	DBG2(DBG_LIB, "instantiated DRBG at %u bit security", strength);
	}

	INIT(this,
		.public = {
			.dh = {
				.get_shared_secret = _get_shared_secret,
				.set_other_public_value = _set_other_public_value,
				.get_my_public_value = _get_my_public_value,
				.get_dh_group = _get_dh_group,
				.destroy = _destroy,
			},
		},
		.group = group,
		.param_set_id = param_set_id,
		.strength = strength,
		.drbg = drbg,
	);

	return &this->public;
}